Distributed information generator and restoring device

ABSTRACT

Check data corresponding to distributed confidential information is generated, and the confidential information and check data are distribution-coded. When the confidential information is restored, the confidential information and check data are restored and it is determined whether or not the restored check data correspond to the restored confidential information. If the data correspond to the information, the information is determined to be correct and is output. If not, the information is judged to be false (i.e., tampered distributed information), and a symbol indicating that falsity has been detected is output.

TECHNICAL FIELD

This application is based upon and claims the benefit of priority fromJapanese patent application No. 2006-181433, filed on Jun. 30, 2006, andJapanese patent application No. 2006-240236, filed on Sep. 5, 2006, andJapanese patent application No. 2007-025482, filed on Feb. 5, 2007, thedisclosures of which are incorporated herein in its entirety byreference.

The present invention relates to a distributed information generator forsafely storing and distributing confidential information, and arestoring device for restoring stored confidential information.

BACKGROUND ART

When confidential information (for example, a secret key for use inencryption) is stored, there are the threat of loss or breakage of dataand the threat of theft of data. For the former threat, the creation ofa copy of confidential information would be effective, but the creationof the copy would result in an increase in the threat of theft. As oneinformation security technology for solving such a problem, there is asecret sharing scheme.

In a (k,n) threshold scheme, which is one secret sharing scheme,distribution-codes confidential information which is object ofprotection into n pieces of information, and the (k,n) threshold schemehas a feature that the confidential information can be restored if k ormore arbitrary pieces of distributed information are collected, and theinformation relating the confidence cannot be obtained if (k−1) or lessarbitrary pieces of distributed information are collected. Accordingly,even if up to (k−1) pieces of distributed information are stolen,confidential information cannot be read, and even if up to (n−k) piecesof distributed information are broken, confidential information can berestored. This (k,n) threshold scheme is described in detail, forexample, in Non-Patent Document 1 (Adi Shamir, “How to share a secret,”Comm. ACM, 22(11), pp. 612-613 (1979)).

In the following, consider problems when confidential information isrestored in a situation where distributed information is legitimatelycreated and distributed in accordance with a normal (k,n) thresholdscheme.

When confidential information is to be restored, distributed informationmust be collected from other sources which hold the distributedinformation. In this event, parties to whom a request has been made fordistributed information do not always supply the values, which they haveobtained, to a restoring party without tampering with them. In thisregard, “tampering” herein referred to includes not only intentionalchanges but also unintentional changes such as a failed device, simplemistake and the like.

If confidential information is restored using tampered distributedinformation, the resulting value can be a value different from theconfidential information. For this reason, an approach is desired topermit a secret sharing scheme to detect with a high probability that atampered value exists within distributed information for use inrestoration. Also, distributed information is obtained by a variety ofmeans, depending on how the information is used, so that it is desirablethat a tampered value be detected with a high degree of probability whendistributed information is obtained on the basis of any probabilitydistribution.

As one technology for solving these problems, a method described inNon-Patent Document 2 (Martin Tompa, Heather Woll, “How to Share aSecret with Cheaters,” Journal of Cryptology, vol. 1, pages 133-138,1988.) is known.

Non-Patent Document 2 describes a (k,n) threshold scheme which candetect falsity with a probability of (1−ε) when distributed informationis obtained on the basis of any probability distribution. In the methoddescribed in Non-Patent Document 2, when confidential information is aset of a number s of elements, distribution information is a set of anumber ((s−1)(k−1)/ε+k)̂2 of elements.

Also, Non-Patent Document 3 (Wakaha Ogata, Kaoru Kurosawa, Douglas RStinson, “Optimum Secret Sharing Scheme Secure Against Cheating,” SIAMJournal on Discrete Mathematics, vol. 20, no 1, pages 79-95, 2006.)describes a (k,n) threshold scheme which is capable of sensing falsitywith a probability of (1−ε) on condition that distributed information isselected in accordance with a uniform probability distribution. In themethod described in Non-Patent Document 3, when confidential informationis a set of a number s of elements, distribution information is a set ofa number (1+(s−1)/ε) of elements.

However, the conventional secret sharing schemes as described above hasa problem in which the amount of distributed information becomes largeas compared with the amount of confidential information.

SUMMARY

An exemplary object of the present invention to provide a distributedinformation generator and a restoring device which are capable ofdetecting falsity when confidential information is obtained on the basisof any probability distribution, and to require that the amount ofdistributed information be smaller as in the case of conventionaltechnologies.

To achieve the above object, the present invention generates check datacorresponding to confidential information to be distributed, anddistribution-codes the confidential information and check data,respectively. When the confidential information is restored, theconfidential information and check data are restored, respectively, todetermine whether or not the restored check data is data correspondingto the restored confidential data. The confidential information isdetermined to be correct when it corresponds to the restored check dataand is output, whereas the confidential information is determined to befalse (there is a tampered distributed information) when it does notcorrespond to the restored check data, and a symbol is output toindicate that falsity has been detected.

Falsity can be detected if it is determined whether or not the thusrestored check data corresponds to the restored confidentialinformation, and the data size of distributed information for theconfidential information can be reduced as compared with theconventional secret sharing scheme by using a data set which has asmaller number of elements as the check data.

Also, since check data can be uniformly selected at random, a high ratefor detecting falsity is ensured when confidential information isselected on the basis of any probability distribution.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing an exemplary configuration of adistributed information generator of the present invention.

FIG. 2 is a block diagram showing an exemplary configuration of arestoring device of the present invention.

FIG. 3 is a block diagram showing an example of implementing thedistributed information generator and restoring device by a computer.

FIG. 4 is a flow chart showing the operation of the distributedinformation generator of the present invention.

FIG. 5 is a flow chart showing the operation of the restoring device ofthe present invention.

EXEMPLARY EMBODIMENT

Next, the exemplary embodiment of the present invention will bedescribed with reference to the drawings.

First, terms used in this specification will be described in brief.

Access Structure Refers to conditions under which confidentialinformation can be restored in a secret sharing scheme. In thisspecification, data indicative of the access structure is called “accessstructure data.”

Access Set: Refers to a set of distributed information which can restoreconfidential information in the secret sharing scheme.

Linear Secret sharing scheme: Refers to a secret sharing scheme whichcan generate distributed information W=(W_1, W_2, . . . , W_n) using ak*n matrix G in accordance with an equation of W=U*G, where (k−1)independent random numbers are represented by R_1, R_2, . . . , R_{k−1}and vector (S, R_1, R_2, . . . , R{k−1}) is represented by U. In thisspecification, the access structure will be described, giving the linearsecret sharing scheme as an example.

Function Specifying Data: Refers to data for uniquely specifyingelements (elements) of function set H. In this specification, a functionwhich is an element of function set H and which is uniquely specified byfunction specifying data k is designated by H_k.

Confidential information data set S: Refers to a set of confidentialinformation s which is object of keeping.

Distributed Confidential Information Data Set BS: Refers to a set ofdata (distributed information) resulting from distributive coding ofconfidential information s.

Data Set BC for Distribution Checking: Refers to a set of check datawhich is generated to correspond with confidential information s.

A confidential information distribution system of the present inventiongenerates check data corresponding to confidential information when theconfidential information is to be stored, distribution-codes theconfidential information and check data, respectively, in accordancewith an access structure indicative of access structure data of a secretsharing scheme, and stores them in a storage device.

Also, when confidential information is restored, distribution-codedconfidential information and distribution-coded check data are read froma plurality of storage devices corresponding to an access set of theaccess structure to restore the confidential information and check data.Then, it is determined whether or not the restored check datacorresponds to the confidential information, and the restoredconfidential information is determined to be correct when it correspondsthereto, and is determined to be false (tampered) when it does notcorrespond thereto.

The confidential information distribution system of the presentinvention comprises distributed information generator 102, restoringdevice 200, and a plurality of storage devices 301_1-301_n. Storagedevices 301_1-301_n comprises distributed confidential informationstorage devices 302_1-302_n for storing elements of distributedconfidential information data set BS, and distributed check data storagedevices 303_1-303_n for storing elements of distributed check data setBC.

First, the configuration of distributed information generator 102 willbe described with reference to FIG. 1.

FIG. 1 is a block diagram showing an exemplary configuration ofdistributed information generator 102.

As shown in FIG. 1, distribution information generator 102 comprisescheck data generator 104, confidential information distributing device103, and check data distributing device 105.

Distributed information generator 102 is applied with confidentialinformation s which comprises elements (elements) of confidentialinformation data set S, and access structure data indicative of anaccess structure in accordance with a linear secret sharing scheme.Distributed information generator 102 stores distributed informationwhich comprises elements of distributed confidential information dataset BS in distributed confidential information storage device 302 ofstorage device 301 specified by the access structure data. Also, thecheck data, which comprises elements of distributed check data set BC,is stored in distributed check data storage device 303 of storage device301 specified by the access structure data.

Check data generator 104 is applied with elements s of confidentialinformation data set S. Check data generator 104 can efficiently andrandomly select function specifying data a with which arbitrary elementy of output set B and arbitrary element x of input set S satisfyH_a(x)=y, when a function set is H, where confidential information dataset S is the input set, and the output set is B.

In this exemplary embodiment, when arbitrary different elements of inputset S are x_1 and x_2: an arbitrary function specifying data is c; a setof function specifying data k including the c is K; a falsity detectionprobability is (1−δ); a function set represented by |{b|b}εK,H_b(x_1)=y, H_{b+c}(x_2)=y}|/|{b|bεK, H_b(x_1)=y}|≦δ is H. Functionspecifying data k which satisfies H_k(x)=y is randomly selected, and theselected function specifying data k is output as check datacorresponding to x_1 and x_2.

Confidential information distributing device 103 is applied withelements of confidential information data set S and the access structuredata. Confidential information distributing device 103 stores elementsof distributed confidential information data set BS in distributedconfidential information storage device 302 of storage device 301specified by the access structure data.

Check data distributing device 105 is applied with elements of input setK and the access structure data. Check data distributing device 105stores elements of distributed check data set BC in distributed checkdata storage device 303 of storage device 301 specified by the accessstructure data.

Next, the configuration of restoring device 200 will be described withreference to FIG. 2.

FIG. 2 is a block diagram showing an exemplary configuration ofrestoring device 200.

As shown in FIG. 2, restoring device 200 comprises confidentialinformation restoring device 201, check data restoring device 202, andfalsity detection device 203.

Restoring device 200 is applied with the access structure dataindicative of the access structure in accordance with the linear secretsharing scheme. Restoring device 200 reads and restores elements ofdistributed confidential information data set BS from distributedconfidential information storage devices 302_1-302_n contained instorage devices 301_1-301_n, reads and restores elements of distributedcheck data set BC from distributed check data storage devices303_1-303_n, and outputs a symbol which indicates that elements ofrestored confidential information data set S, or a false share(distributed information) have been detected.

Confidential information restoring device 201 is applied with the accessstructure data. Confidential information restoring device 201 readselements of distributed confidential information data set BS fromdistributed confidential information storage device 302 contained instorage device 301, and outputs elements of restored confidentialinformation data set S.

Check data restoring device 202 is applied with the access structuredata. Check data restoring device 202 reads elements of distributedcheck data set BC from distributed check data storage device 303contained in storage device 301, and outputs elements of restoredfunction specifying data set K.

Falsity detection device 203 is applied with elements of confidentialinformation data set S restored by confidential information restoringdevice 201, and elements of function specifying data set K restored bycheck data restoring device 202, and outputs elements of restoredconfidential information data set S when H_k(s)=y is satisfied, andoutputs a symbol which indicates that a false share has been detectedwhen not satisfied.

Distributed information generator 102 and restoring device 200 areimplemented by a semiconductor integrated circuit, for example, LSI(large Scale Integration), DSP (Digital Signal Processor) or the likewhich comprises logic circuits and the like.

Alternatively, distributed information generator 102 and restoringdevice 200 may be implemented by a computer, as shown in FIG. 3, whichcomprises processing device 10 for executing predetermined processing inaccordance with a program; an input device 20 for inputting commands,information and the like to processing device 10; and output device 30for monitoring processing results of processing device 10.

Processing device 10 shown in FIG. 3 comprises CPU 11; main storagedevice 12 for temporarily storing information required for processing ofCPU 11; recording medium 13 which has recorded thereon a program forcausing CPU 11 to execute processing as distributed informationgenerator 102 or as restoring device 200, later described; data storagedevice 14 for storing confidential information and access structuredata; memory control interface unit 15 for controlling data transfersamong main storage device 12, recording medium 13, and data storagedevice 14; and I/O interface unit 16 which is an interface device withinput device 20 and output device 30, all of which are connected throughbus 18. In this regard, data storage device 14 need not reside withinprocessing device 10, but may be provided independently of processingdevice 10. Also, data storage device 14 may be used as storage device301 which comprises security confidential information storage device 302and distributed check data storage device 303.

Processing device 10 implements functions as distributed informationgenerator 102 and restoring device 200, later described, in accordancewith a program recorded on recording medium 13. Recording medium 13 maybe a magnetic disk, a semiconductor memory, an optical disk, or anotherrecording medium.

Next, the operation of the confidential information distribution systemof the present invention will be described with reference to FIGS. 4 and5.

FIG. 4 is a flow chart showing the operation of the distributedinformation generator, while FIG. 5 is a flow chart showing theoperation of restoring device 200.

As shown in FIG. 4, distributed information generator 102 is appliedwith access structure data which is data indicative of an accessstructure, for example, in accordance with a linear secret sharingscheme, and confidential information s which comprises elements ofconfidential information data set S (step A1).

When confidential information distributing device 103 is applied withthe access structure data and confidential information s, distributedinformation generator 102 distribution-codes confidential information sin an access structure corresponding to the access structure data, andstores the coded confidential information in distributed confidentialinformation storage device 302 of storage device 301 (step A2).

Also, distributed information generator 102 randomly generates functionspecifying data k which satisfies aforementioned H_k(s)=y, based onconfidential information s, by check data generator 104 (step A3).

Distributed information generator 102 distribution-codes functionspecifying data k in an access structure corresponding to the accessstructure data, based on the access structure data and functionspecifying data k, by check data distributing device 104, and stores thecoded function specifying data in distributed check data storage device303 of storage device 301 (step A4).

As shown in FIG. 5, restoring device 200 is applied with accessstructure data indicative of the access structure of the linear secretsharing scheme (step B1). Restoring device 200 reads data stored instorage device 301 corresponding to an access set indicated by theaccess structure data (step B2).

Restoring device 200 restores elements s′ of confidential informationdata set S using a restoring method corresponding to the distributivecoding method used by confidential information distributing device 103by confidential information restoring device 201 based on the data readfrom distributed confidential information storage device 302 of storagedevice 301 and the access structure data (step B3).

Also, restoring device 200 restores elements k′ of function specifyingdata set K using a restoring method corresponding to the distributivecoding method used by check data distributing device 105 by check datarestoring device 202 based on the data read from distributed check datastorage device 303 of storage device 301 and the access structure data(step B4).

Next, restoring device 200 checks whether or not H_k′(s′)=y by falsitydetection device 203 using elements s′ of confidential information dataset S restored by confidential information restoring device 201 andelements k′ of function specifying data set K restored by check datarestoring device 202, to determine whether or not s′ is datacorresponding to k′ (step B5). Restoring device 200 outputs s′ when s′is data corresponding to k′ (step B6), and outputs a symbol indicativeof a false detection when s′ is not data corresponding to k′ (step B7).

According to the present invention, falsity can be detected bydetermining whether or not restored check data corresponds to restoredconfidential information, and the data size of distributed informationcan be reduced if a data set having a smaller number of elements is usedas check data. Also, since the check data can be uniformly selected atrandom, a high rate for detecting falsity can be ensured when theconfidential information is selected on the basis of any distribution.It is therefore possible to detect falsity when the confidentialinformation is selected on the basis of any distribution, and the datasize of the distributed information is reduced for the confidentialinformation, as compared with the conventional secret sharing scheme.

First Example

A confidential information distribution system of a first example is anexample in which Z/pZ is used for a data set of confidentialinformation, H_{e_0, e_1}(x)=e_0−x*e_1 is used as function set H whenfunction specifying data is a set of elements e_0, e_1 of Z/pZ, and aninput set comprises elements x of Z/pZ, and data indicative of an accessstructure of a (k,n) threshold scheme is used as access structure dataof a linear secret sharing scheme. In this regard, Z/pZ is a finitefield for prime number p, and the use of addition in the finite field isrepresented by “+”; subtraction by “−”; multiplication by “*”; anddivision by “/.”

In check data generator 104 of the first example, function specifyingdata a_1, a_2, which satisfy H_{a_1, a_2}(x)=0 can be randomly selectedas check data for arbitrary elements x of Z/pZ.

Here, when a function specifying data set of H is designated by K forarbitrary different elements x_1, x_2 of Z/pZ and for arbitrary functionspecifying data c_1, c_2, |{b_1, b_2|b_1, b_2 Z/pZ, H_{b_1, b_2}(x−1)=0,H_{(b_1+c_1), (b_2+c_2)}(x_2)=0}|/|{b_1, b_2|b_1, b_2 Z/pZ, H_{b_1,b_2}(x_1)=0}|=1/p are established.

Data indicative of an access structure of the (k,n) threshold scheme isspecifically comprised of k, n which are positive integers, and {i_1,i_2, . . . , i_n} which comprises a set of elements of Z/pZ. However,assume that k, n, p satisfy k≦n≦p−1.

In this regard, assume that confidential information distributing device103 and check data distributing device 104 distribution-codeconfidential information and check data using the (k,n) threshold schemedescribed in Non-Patent Document 1, and that confidential informationrestoring device 201 and check data restoring device 202 restoreconfidential information and check data using a restoring methodcorresponding to the (k,n) threshold scheme.

Next, a description will be given of distributed information generator102 and restoring device 200 of the first example.

Distributed information generator 102 of the first example is appliedwith access structure data k, n, {i_1, i_2, . . . , i_n}, andconfidential information S.

Distributed information generator 102 randomly generates a (k−1)thpolynomial which has a constant term of s on Z/pZ by confidentialinformation distributing device 103, when it is applied with accessstructure data k, n, {i_1, i_2, . . . , i_n}, and confidentialinformation s. This (k−1)th polynomial is designated by f_s(x).

Confidential information distributing device 103 calculates f_s(i_1),f_s(i_2), . . . , f_s(i_n), and stores the calculation result indistributed confidential information storage device 302_{i_1} of storagedevice 301_{i_1}, distributed confidential information storage device302_{i_2} of storage device 301_{i_2}, . . . , distributed confidentialinformation storage device 302_{i_n} of storage device 301_{i_n}.

Check data generator 104 randomly generates e_0 and e_1 which satisfye_0−s*e_1=0 based on confidential information s.

Check data distributing device 104 randomly generates a (k−1)thpolynomial which has a constant term of e_0 on Z/pZ and a (k−1)thpolynomial which has a constant term of e_1 on Z/pZ, based on accessstructure data k, n, {i_1, i_2, . . . , i_n} and e_0, e_1. They aredesignated by f_{e_0}(x), f_{e_1}(x).

Check data distributing device 104 calculates f_{e_0}(i_1),f_{e_0}(i_2), . . . , f_{e_0}(i_n) and f_{e_1}(i_1), f_{e_1}(i_2), . . ., f_{e_1}(i_n), and stores (f_{e_0}(i_1), f_{e_1}(i_1)) in distributedcheck data storage device 303_{i_1}; stores (f_{e_0}(i_1), f_{e_1}(i_1))in distributed check data storage device 303_{i_-2} of storage device301_{i_2}; . . . ; stores (f_{e_0}(i_1), f_{e_1}(i_1)) in distributedcheck data storage device 303{i_n} of storage device 301_{i_n}.

On the other hand, restoring device 200 of the first example is appliedwith access structure data k, n, {i_1, i_2, . . . , i_n}.

Restoring device 200 reads data from each distributed confidentialinformation storage device 302 of storage devices 303 _(—{j)_1},301_{j_2}, 301_{j_k}. These data are designated by bs_{j_1}, bs_{j_2}, .. . , bs_{j_k},

Confidential information restoring device 201 is applied with j_1,bs_{j_1}), (j_2, bs_{j_2}), . . . , (j_k, bs_{j_k}, and generates g_s(0)of (k−1)th polynomial g_s(x) on Z/pZ which passes through coordinates(j_1, bs_{j_1}), (j_2, bs_{j_2}), . . . , (j_k, bs_{j_k}). Specifically,g_s(0) is calculated by a method which solves simultaneous equations, amethod which uses Lagrange interpolation, or the like.

Also, restoring device 200 reads data from each distributed check datastorage device 303 of storage devices 301_{j−1}, 301_{j_2}, . . . ,301_{j_k}. These data are designated by (be0_{j_1}, be1_{j_1}),(be0_{j_2}, be1_{j_2}), . . . , (be0_{j_k}, be1_{j_k}).

Check data restoring device 202 is applied with (j_1, be0_{j_1},be1_{j_1}), (j_2, be0_{j_2}, be1_{j_2}), . . . , (j_k, be0_{j_k},be1_{j_k}), and generates g_e0(0) of (k−1)th polynomial g_e0(x) on Z/pZwhich passes through coordinates (j_1, be0_{j_1}), (j_2, be0_{j_2}), . .. , (j_k, be0_{j_k}), and g_e1(0) of (k−1)th polynomial g_e1(x) on Z/pZwhich passes through coordinates (j_1, be1_{j_1}), (j_2, be1_{j_2}), . .. , (j_k, be1_{j_k}). Specifically, g_e0(0) and g_e1(0) are calculatedby a method which solves simultaneous equations, a method which usesLagrange interpolation, or the like.

Falsity detection device 203 is applied with g_e0(x), g_s(0), g_e1(0) todetermine whether or not g_0(x), g_s(0), g_e1(0) satisfyg_e0(x)+g_s(0)*g_e1(0)=0. Falsity detection device 203 outputs g_s(0)when they satisfy the requirement, and outputs, for example, “Γ” as asymbol which indicates that falsity has been detected when they do notsatisfy the requirement.

In the confidential information distribution system of the firstexample, the size of the confidential information is p, the size of thedistributed information is p̂3, and the false detection rate is (1−1/p).

Here, when the size of the confidential information is designated by s,and the falsity detection rate by (1−ε), the size of the distributedinformation can be represented by s*(1/ε)̂2.

The size of the distributed information is ((s−1)(k−1)/ε+k)̂2 in thesecret sharing scheme described in the aforementioned Non-PatentDocument 2. Assuming, for example, k=2, p=2̂80, ε=½̂80, the size of thedistributed information is approximately 2̂240 in the first example,while the size of the distributed information is approximately 2̂320 inthe method described in Non-Patent Document 2.

It can be understood, therefore, that the confidential informationdistribution system of the first example can detect falsity, andprovides the distributed information which is reduced in size ascompared with the conventional method.

Second Example

A second example is an example in which (Z/pZ)̂N is used for a data setof confidential information, H_{e_0, e_1}(x_1, x_2, . . . ,x_N)=e_0−(x_1*e_1+x_2*e_1̂2+ . . . +x_{N−1}*e_1̂{N−1}+x_N*e_1̂{N+1}) isused as function set H when function specifying data is a set ofelements e_0, e_1 of Z/pZ, and an input set comprises elements x (x_1,x_2, . . . , x_N) of (Z/pZ)̂N, and data indicative of an access structureof a (k,n) threshold scheme is used as access structure data of a linearsecret sharing scheme. In this regard, (Z/pZ)̂N is an N-th expansionfield (N is a positive integer) of a finite field for prime number p,and the use of addition in the expansion field is represented by “+”;subtraction by “−”; multiplication by “*”; and division by “/.”

In check data generator 104 of the second example, function specifyingdata a_1, a_2, which satisfy H_{a_1, a_2}(x)=0 can be randomly selectedas check data for elements x of arbitrary (Z/pZ)̂N.

Here, when arbitrary different elements of (Z/pZ)̂N are designated byx_1, x_2, arbitrary function specifying data are designated by c_1, c_2,and a function specifying data set of H is designated by K, |{b_1,b_2|b_1, b_2 Z/pZ, H_{b_1, b_2}(x−1)=0, H_{(b_1+c_1),(b_2+c_2)}(x_2)=0}|/|{b_1, b_2|b_1, b_2 Z/pZ, H_{b_1,b_2}(x_1)=0}|=(N+1)/p are established.

Data indicative of an access structure of the (k,n) threshold scheme isspecifically comprised of k, n which are positive integers, and {i_1,i_2, . . . , i_n} which comprises a set of elements of Z/pZ. However,assume that k, n, p satisfy k≦n≦p−1.

In this regard, assume that confidential information distributing device103 and check data distributing device 104 distribution-codeconfidential information and check data using the (k,n) threshold schemedescribed in Non-Patent Document 1, and confidential informationrestoring device 201 and check data restoring device 202 restoreconfidential information and check data using a restoring methodcorresponding to the (k,n) threshold scheme.

Next, a description will be given of distributed information generator102 and restoring device 200 of the second example.

Distributed information generator 102 of the second example is appliedwith access structure data k, n, {i_1, i_2, . . . , i_n}, andconfidential information s=(s_1, s_2, . . . , s_N).

Distributed information generator 102 randomly generates a (k−1)thpolynomial which has a constant term of s on GF(p̂N) by usingconfidential information distributing device 103, based on accessstructure data k, n, {i_1, i_2, . . . , i_n}, and confidentialinformation s. This (k−1)th polynomial is designated by f_s(x).

Confidential information distributing device 103 calculates f_s(i_1),f_s(i_2), . . . , f_s(i_n), and stores the calculation result indistributed confidential information storage device 303_{i_1} of storagedevice 301_{i_1}, distributed confidential information storage device303_{i_2} of storage device 301_{i_2}, . . . , distributed confidentialinformation storage device 303_{i_n} of storage device 301_{i_n}.

Check data generator 104 is applied with confidential informations=(s_1, s_2, . . . , s_N), and randomly generates e_0 and e_1 whichsatisfy e_0−(s_1*e_1+s_2*e_1̂2+, . . . ,+s_{N−1}*e_1̂{N−1}+s_N*e_1̂{N+1})=0.

Check data distributing device 105 is applied with access structure datak, n, {i_1, i_2, . . . , i_n} and e_0, e_1 which have been generated bycheck data generator 104, and randomly generates a (k−1)th polynomialwhich has a constant term of e_0 on Z/pZ and a (k−1)th polynomial whichhas a constant term of e_1 on Z/pZ. They are designated by f_{e_0}(x),f_{e−11}(x).

Check data distributing device 105 calculates f_{e_0}(i_1),f_{e_0}(i_2), . . . , f_{e_0}(i_n) and f_{e_1}(i_1), f_{e_1}(i_2), . . ., f_{e_1}(i_n), and stores (f_{e_0}(i_1), f_{e_1}(i_1)) in distributedcheck data storage device 303_{i_1} of storage device 301_{i−1}; stores(f_{e_0}(i_1), f_{e_1}(i_1)) in distributed check data storage device303_{i_2} of storage device 301_{i_2}; . . . ; stores (f_{e_0}(i_1),f_{e_1}(i_1)) in distributed check data storage device 303_{i_n} ofstorage device 301_{i_n}.

On the other hand, restoring device 200 of the second example is appliedwith access structure data k, n, {i_1, i_2, . . . , i_n}.

Confidential information restoring device 201 reads data from eachdistributed confidential information storage device 302 of storagedevices 301_{j_1}, 301_{j_2}, . . . , 301_{j_k}. These data aredesignated by bs_{j_1}, bs_{j_2}, . . . , bs_{j_k},

Confidential information restoring device 201 is applied with (j_1,bs_{j_1}), (j_2, bs_{j_2}), . . . , (j_k, bs_{j_k} read from distributedconfidential information storage device 302, and generates g_s(0) of(k−1)th polynomial g_s(x) on GF(p̂N) which passes through coordinates(j_1, bs_{j_1}), (j_2, bs_{j_2}), . . . , (j_k, bs_{j_k}). Specifically,g_s(0) is calculated by a method which solves simultaneous equations, amethod which uses Lagrange interpolation, or the like. Here, this g_s(0)is regarded as elements of (Z/pZ)̂N, and is designated by (gs1, gs2, . .. , gsN).

Check data restoring device 202 reads data from each distributed checkdata storage device 303 of storage devices 301_{j−1}, 301_{j_2}, . . . ,301_{j_k}. They are designated by (be0_{j_1}, be1_{j_1}), (be0_{j_2},be1_{j_2}), . . . , (be0_{j_k}, be1_{j_k}).

Check data restoring device 202 is applied with (j_1, be0_{j_1},be1_{j_1}), (j_2, be0_{j_2}, be1_{j_2}), . . . , (j_k, be0_{j_k},be1_{j_k}), and generates g_e0(0) of (k−1)th polynomial g_e0(x) on Z/pZwhich passes through coordinates j_1, be0_{j_1}), (j_2, be0_{j_2}), . .. , (j_k, be0_{j_k}), and g_e1(0) of (k−1)th polynomial g_e1(x) on Z/pZwhich passes through coordinates (j_1, be1_{j_1}), (j_2, be1_{j_2}), . .. , (j_k, be1_1{j_k}).

Specifically, g_e0(x) and g_e1(x) are calculated by a method whichsolves simultaneous equations, a method which uses Lagrangeinterpolation, or the like.

Next, falsity detection device 203 is applied with g_s(0), g_e0(0),g_e1(0) to determine whether or not g_s(0), g_e0(0), g_e1(0) satisfyg_e0(0)−(gs1*g_e1(0)+gs2*g_el(0)̂2+, . . . ,+gs{N−1}*g_e1(0)̂{N−1}+gsN*g_el(0)̂{N+1})=0. Falsity detection device 203outputs g_s(0) when they satisfy the requirement, and outputs, forexample, “Γ” as a symbol which indicates that falsity has been detectedwhen they do not satisfy the requirement.

In the confidential information distribution system of the secondexample, the size of the confidential information is p̂N, the size of thedistributed information is p̂(N+2), and a false detection rate is(1−(N+1)/p).

Here, when the size of the confidential information is designated by s,and the falsity detection rate by (1−ε), the size of the distributedinformation can be represented by s*(1/ε)̂2*(1+log_ps)̂2.

The size of the distributed information is ((s−1)(k−1)/□+k)̂2 in thesecret sharing scheme described in the aforementioned Non-PatentDocument 2. Assuming, for example, k=2, p=2̂90, N=10, ε=½̂80, the size ofthe distributed information is approximately 2̂90180 in the secondexample, while the size of the distributed information is approximately2̂180160 in the secret sharing scheme described in Non-Patent Document 2.

It can be understood, therefore, that the confidential informationdistribution system of the second example can detect falsity, andprovides the distributed information which is reduced in size ascompared with the conventional method.

Third Example

A third example is an example in which (Z/pZ)̂N is used for a data set ofconfidential information, H_{e_0, e_1}(x_1, x_2, . . . ,x_N)=e_0−(x_1*e_1+x_2*e_1̂2+ . . .+x_N*e_1̂N+e_1̂(N+1)+e_1̂(N+2)+e_1̂(N+4)) is used as function set H whenfunction specifying data is a set of elements e_0, e_1 of Z/pZ, and aninput set comprises elements (x_1, x_2 . . . , x_N) of (Z/pZ)̂N, and dataindicative of an access structure of a (k,n) threshold scheme is used asaccess structure data of a linear secret sharing scheme. In this regard,like the second example, (Z/pZ)̂N is an N-th expansion field (N is apositive integer) of a finite field for prime number p, and the use ofaddition in the expansion field is represented by “+”; subtraction by“−”; multiplication by “*”; and division by “/.”

In check data generator 104 of the third example, function specifyingdata a_1, a_2, which satisfy H_{a_1, a_2}(x)=0 can be randomly selectedas check data for elements x of arbitrary (Z/pZ)̂N.

Here, when arbitrary elements of (Z/pZ)̂N are designated by x_1, x_2, anarbitrary positive integer is designated by a, arbitrary functionspecifying data are designated by c_1, c_2, and a function specifyingdata set of H is designated by K, |{b_1, b_2|b_1, b_2εZ/pZ, H_{b_1,b_2}(x−1)=0, H_{(a*b_1+c_1), (a*b_2+c_2)}(x_2)=0}|/|{b_1, b_2|b_1, b_2Z/pZ, H_{b_1, b_2}(x_1)=0}|=N/p are established.

Data indicative of an access structure of the (k,n) threshold scheme isspecifically comprised of k, n which are positive integers, and {i_1,i_2, . . . , i_n} which comprises a set of elements of Z/pZ. However,assume that k, n, p satisfy k≦n≦p−1.

In this regard, assume that confidential information distributing device103 and check data distributing device 104 distribution-codeconfidential information and check data using the (k,n) threshold schemedescribed in Non-Patent Document 1, and that confidential informationrestoring device 201 and check data restoring device 202 restoreconfidential information and check data using a restoring methodcorresponding to the (k,n) threshold scheme.

Next, a description will be given of distributed information generator102 and restoring device 200 of the third example.

Distributed information generator 102 of the third example is appliedwith access structure data k, n, {i_1, i_2, . . . , i_n}, andconfidential information s=(s_1, s_2, . . . , s_N).

Distributed information generator 102 randomly generates a (k−1)thpolynomial which has a constant term of s on GF(P̂N) by usingconfidential information distributing device 103, based on accessstructure data k, n, {i_1, i_2, . . . , i_n}, and confidentialinformation s. This (k−1)th polynomial is designated by f_s(x).

Confidential information distributing device 103 calculates f_s(i_1),f_s(i_2), . . . , f_s(i_n), and stores the calculation result indistributed confidential information storage device 303{i_1} of storagedevice 301_{i_1}, distributed confidential information storage device303_{i_2} of storage device 301_{i_2}, . . . , distributed confidentialinformation storage device 303_{i_n} of storage device 301_{i_n}.

Check data generator 104 is applied with confidential informations=(s_1, s_2, . . . , s_N), and randomly generates elements e_0 and e_1of Z/pZ which satisfy e_0−(s_1*e_1+s_2*e_1̂2+ . . . +s_N*e_1̂N+e_1̂(N+1)+e_1̂(N+2)+e+1̂(N+4))=0.

Check data distributing device 105 is applied with access structure datak, n, {i_1, i_2, . . . , i_n} and e_0, e_1 which have been generated bycheck data generator 104, and randomly generates a (k−1)th polynomialwhich has a constant term of e_0 on Z/pZ and a (k−1)th polynomial whichhas a constant term of e_1 on Z/pZ. They are designated by f_{e_0}(x),f_{e−1}(x).

Check data distributing device 105 calculates f_{e_0}(i_1), f{e_0}(i_2),. . . , f_{e_0}(i_n) and f_{e_1}(i_1), f_{e_1}(i_2_, . . . ,f_{e_1}(i_n), and stores (f{e_0}(i_1), f_{e_1}(i_1)) in distributedcheck data storage device 302_{i_1} of storage device 301_{i_1}; stores(f{e_0}(i_1), f_{e_1}(i_1)) in distributed check data storage device302_{i_2} of storage device 301_{i_2}; . . . ; stores (f_{e_0}(i_1),f_{e_1}(i_1)) in distributed check data storage device 302_{i_n} ofstorage device 301_{i_n}.

On the other hand, restoring device 200 of the third example is appliedwith access structure data k, n, {i_1, i_2, . . . , i_n}.

Confidential information restoring device 201 reads data from eachdistributed confidential information storage device 302 of storagedevices 301_{j_1}, 301_{j_2}, . . . , 301_{j_k}. These data aredesignated by bs_{j_1}, bs_{j_2}, . . . , bs_{j_k},

Confidential information restoring device 201 is applied with (j_1,bs_{j_l}), (j_2, bs_{j_2}), . . . , (j_k, bs_{j_k} read from distributedconfidential information storage device 302, and generates g_s(0) of(k−1)th polynomial g_s(0) on GF(p̂N) which passes through coordinatesj_1, bs_{j_1}), (j_2, bs_{j_2}), . . . , (j_k, bs_{j_k}). Specifically,g_s(0) is calculated by a method which solves simultaneous equations, amethod which uses Lagrange interpolation, or the like. Here, this g_s(0)is regarded as elements of (Z/pZ)̂N, and is designated by (gs1, gs2, . .. , gsN).

Check data restoring device 202 reads data from each distributed checkdata storage device 303 of storage devices 301_{j_1}, 301_{j_2)}, . . ., 301 _(—{j)_k}. They are designated by (be0_{j_1}, be1_{j_1}),(be0_{j_2}, be1_{j_2}), . . . , (be0_{j_k}, be1_{j_k}).

Check data restoring device 202 is applied with (j_1, be0_{j_1},be1_{j_1}), (j_2, be0_{j_2}, be1_{j_2}), . . . , (j_k, be0_{j_k},be1_{j_k}), and generates g_e(0) of (k−1)th polynomial g_e0(x) on Z/pZwhich passes through coordinates (j_1, be0_U{j_1}), (j_2, be0_{j_2}), .. . , (j_k, be0_{j_k}), and g_e1(0) of (k−1)th polynomial g_e1(x) onZ/pZ which passes through coordinates (j_1, be1_{j_1}), (j_2,be1_{j_2}), . . . , (j_k, be1_{j_k}).

Specifically, g_e0(x) and g_e1(x) are calculated by a method whichsolves simultaneous equations, a method which uses Lagrangeinterpolation, or the like.

Next, falsity detection device 203 is applied with g_s(0), g_e0(0),g_e1(0) to determine whether or not g_s(0), g_e0(0), g_e1(0) satisfyg_e0(0)−gs1*g_e1(0)+gs2*g_el(0)̂2+ . . .+gsN*g_e1(0)̂N+g_el(0)̂(N+1)+g_el(0)̂(N+2)+g_el(0)̂(N+4))=0. Falsitydetection device 203 outputs g_s(0) when they satisfy the requirement,and outputs, for example, “Γ” as a symbol which indicates that falsityhas been detected when they do not satisfy the requirement.

In the confidential information distribution system of the thirdexample, the size of the confidential information is p̂N, the size of thedistributed information is p̂(N+2), and the false detection rate is(1−(N+3)/p).

The confidential information distribution system of the third examplecan detect falsity which is not assumed in the first example and secondexample. Specifically, the first example and second example can detecttampered be0_{j} and be1_{j} among information (j, be0_{j}, be1_{j})stored in distribution checking storage data device 303, and do notassume tampered j. J is data corresponding to storage device 301 _(—) j,and is comparable to the identifier of the storage device, so thattampered j can be regarded as falsity corresponding to spoofing of thestorage device. The third example is characterized by the ability todetect aforementioned tampered j, and a system capable of detectingfalsity to spoofing can be built in accordance with the third example.

1. (canceled)
 2. (canceled)
 3. A distributed information generatorcomprising: a check data generator for generating check datacorresponding to confidential information; a confidential informationdistributing device for distribution-coding the confidential informationin accordance with access structure data indicative of an accessstructure of a linear secret sharing scheme; and a check datadistributing device for distribution-coding the check data in accordancewith access structure data indicative of the same access structure asthe access structure in accordance with which the confidentialinformation is distribution-coded, wherein said check data generator is:a device which is applied with elements s of confidential informationdata set S; and randomly selects and outputs function specifying data kfor uniquely specifying elements of function set H which satisfyH_k(x)=y, wherein said function set H satisfies |{b|b□K, H_b(x_1)=y,H_{b+c}(x_2)=y}|/|{b|b□K, H_b(x_1)=y}|<δ for arbitrary elements x_1 andx_2 of said confidential information data set S which differ from eachother, and arbitrary function specifying data c of said function set H,where K designates a set of said function specifying data, and (1−δ)designates a falsity detection probability.
 4. (canceled)
 5. Thedistributed information generator according to claim 3, wherein saidcheck data generator: employs (Z/pZ)̂N as confidential information dataset S, where N is a positive value, and p is a prime number; andrandomly selects e_0 and e_1 of Z/pZ which satisfye_0−(x_1*e_1+x_2*e_1̂2+ . . . +x_{N−1}*e_1̂{N−1}+x_{N}*e_1̂{N+1})=0 forelements (x_1, x_2, . . . , x_N) of said confidential information dataset S, and outputs the same as said check data.
 6. (canceled) 7.(canceled)
 8. A restoring device comprising: a storage device forstoring confidential information distribution-coded in accordance withan access structure data indicative of an access structure of a linearsecret sharing scheme, and distribution-coded data of check datagenerated to correspond with said confidential information; aconfidential information restoring device for reading distribution-codedconfidential information from said storage device corresponding to anaccess set of said access structure to restore said confidentialinformation in accordance with said access structure data; a check datarestoring device for reading distribution-coded check data from saidstorage device corresponding to the access set of said access structureto restore said check data in accordance with said access structuredata; and a falsity detection device for outputting restoredconfidential information when check data restored by said check datarestoring device corresponds to confidential information restored bysaid confidential information restoring device, and for outputting asignal indicative of falsity when the restored check data does notcorrespond to the restored confidential information, wherein whenarbitrary different elements of input set S, which are input as saidconfidential information, are x_1 and x_2: an arbitrary functionspecifying data which is data for uniformly specifying elements offunction set H is c; a set of said function specifying data is K; afalsity detection probability is (1−δ), H satisfies |{b|b□K, H_b(x_1)=y,H_{b+c}(x_2)=y}|/|{b|b□K, H_b(x_1)=y}|≦δ, wherein: said falsitydetection device determines that the check data restored by said checkdata restoring device corresponds to the confidential informationrestored by said confidential information restoring device, when saidfunction specifying data k which is the restored check data and restoredconfidential information x satisfy H_k(x)=y.
 9. (canceled)
 10. Therestoring device according to claim 8, wherein: when N is an integer,and p is a prime number; and when said function specifying data e_0, e_1which are restored check data and which are elements of Z/pZ, and when(x_1, x_2, x_N) which are restored confidential information and whichare elements of (Z/pZ)̂N satisfy e_0−(x_1*e_1+x_2*e_1̂2+ . . .+x_{N−1}*e_1{N−1 }+x_N*e_1̂{N+1})=0, said falsity detection devicedetermines that the check data restored by said check data restoringdevice correspond to the confidential information restored by saidconfidential information restoring device.
 11. (canceled)
 12. (canceled)13. A confidential information distribution system comprising: thedistributed information generator according to claim 3; and therestoring device according to claim
 8. 14. (canceled)
 15. A confidentialinformation distribution system comprising: the distributed informationgenerator according to claim 5; and the restoring device according toclaim
 10. 16. (canceled)
 17. (canceled)
 18. A computer-readablerecording medium storing a program which causes a computer to: generatecheck data corresponding to confidential information; distribution-codesaid confidential information in accordance with access structure dataindicative of an access structure of a linear secret sharing scheme, andstore the coded confidential information in a storage device; anddistribution-code the check data in accordance with access structuredata indicative of the same access structure as the access structure inaccordance with which the confidential information isdistribution-coded, and store the coded check data in the storagedevice, said program further causing the computer to: receive elements sof confidential information data set S; and randomly select functionspecifying data k for uniquely specifying elements of function set Hwhich satisfy H_k(x)=y, and to output the same as said check data,wherein: said function set H satisfies |{b|b□K, H_b(x_1)=y,H_{b+c}(x_2)=y}|/|{b|b□K, H_b(x_1)=y}|≦δ for arbitrary elements x_1 andx_2 of said confidential information data set S which differ from eachother, and arbitrary function specifying data c of said function set H,where K designates a set of said function specifying data, and (1−δ)designates a falsity detection probability.
 19. (canceled)
 20. Thecomputer-readable recording medium according to claim 18, wherein saidprogram: employs (Z/pZ)̂N as confidential information data set S, where Nis a positive value, and p is a prime number; and causes the computer torandomly select elements e_0 and e_1 of Z/pZ which satisfye_0−(x_1*e_1+x_2*e_1̂2+ . . . x_{N−1}*e_1̂{N−1}+x_N*e_1̂{N+1})=0 forelements (x_1, x_2, . . . , x_N) of said confidential information dataset S, and output the same as said check data.
 21. (canceled) 22.(canceled)
 23. A computer-readable recording medium storing a programwhich causes a computer to: read distribution-coded confidentialinformation from a storage device for storing confidential informationdistribution-coded in accordance with an access structure dataindicative of an access structure of a linear secret sharing scheme,said distribution-coded confidential information corresponding to anaccess set of said access structure, and restore said confidentialinformation in accordance with said access structure data; readdistribution-coded check data from a storage device for storingdistribution-coded data of check data generated to correspond with saidconfidential information, said distribution-coded check datacorresponding to the access set of said access structure, and restoresaid check data in accordance with said access structure data; andoutput said restored confidential information when said restored checkdata corresponds to said restored confidential information, and output asignal indicative of falsity when said restored check data does notcorresponds to said restored confidential information, wherein whenarbitrary different elements of input set S input as said confidentialinformation are x_1 and x_2: an arbitrary function specifying data whichis data for uniformly specifying elements of function set H is c; a setof said function specifying data is K; a falsity detection probabilityis (1−δ), H satisfies |{b|b□K, H_b(x_1)=y, H_{b+c}(x_2)=y}|/|{b|b□K,H_b(x_1)=y}|≦δ, wherein: said program causes the computer to determinethat said restored check data correspond to said restored confidentialinformation, when said function specifying data k which is the restoredcheck data and restored confidential information x satisfy H_k(x)=y. 24.(canceled)
 25. The computer-readable recording medium according to claim23, wherein: when N is a positive value, and p is a prime number; andwhen said function specifying data e_0, e_1 which are restored checkdata and which are elements of Z/pZ, and when (x_1, x_2, . . . , x_N)which are restored confidential information and which are elements of(Z/pZ)̂N satisfy e_0−(x_1*e_1+x_2*e_1̂2+ . . .+x_{N−1}*e_1̂{N−1}+x_N*e_1̂{N+1})=0, said program causes the computer todetermine that said restored check data correspond to said restoredconfidential information.
 26. (canceled)
 27. (canceled)
 28. Acomputer-readable recording medium storing a program, said programcomprising: the program according to claim 18; and the program accordingto claim
 23. 29. (canceled)
 30. A computer-readable recording mediumstoring a program, said program comprising: the program according toclaim 20; and the program according to claim
 25. 31. (canceled)
 32. Adistributed information generator comprising: a check data generator forgenerating check data corresponding to confidential information; aconfidential information distributing device for distribution-coding theconfidential information in accordance with access structure dataindicative of an access structure of a linear secret sharing scheme; anda check data distributing device for distribution-coding the check datain accordance with access structure data indicative of the same accessstructure as the access structure in accordance with which theconfidential information is distribution-coded, wherein said check datagenerator is: a device which is applied with elements s of confidentialinformation data set S; and randomly selects and outputs functionspecifying data k for uniquely specifying elements of function set Hwhich satisfy H_k(x)=y, wherein said function set H satisfies |{b|b□K,H_b(x_1)=y, H_{a*b+c} (x_2)=y}|/|{b|b□K, H_b(x_1)=y}|≦δ for arbitraryelements x_1 and x_2 of said confidential information data set S whichdiffer from each other, and arbitrary function specifying data c of saidfunction set H, where a is an arbitrary positive integer, where Kdesignates a set of said function specifying data, and (1−δ) designatesa falsity detection probability.
 33. The distributed informationgenerator according to claim 3, wherein said check data generator:employs (Z/pZ)̂N as confidential information data set, where N is apositive integer, and p is a prime number; and randomly selects e_0 ande_1 of Z/pZ which satisfye_0−(x_1*e_1+x_2*e_1̂2++x_N*e_1̂N+e_1̂(N+1)+e_1̂(N+2)+e_1̂(N+4))=0, forelements (x_1, x_2, . . . , x_N) of said confidential information dataset S, and outputs the same as said check data.
 34. The distributedinformation generator according to claim 32, wherein an access structureof a (k,n) threshold scheme is used as the access structure of thesecret sharing scheme.
 35. A restoring device comprising: a storagedevice for storing confidential information distribution-coded inaccordance with access structure data indicative of an access structureof a linear secret sharing scheme, and distribution-coded data of checkdata generated to correspond with said confidential information; aconfidential information restoring device for reading distribution-codedconfidential information from said storage device corresponding to anaccess set of said access structure to restore said confidentialinformation in accordance with said access structure data; a check datarestoring device for reading distribution-coded check data from saidstorage device corresponding to the access set of said access structureto restore said check data in accordance with said access structuredata; and a falsity detection device for outputting restoredconfidential information when check data restored by said check datarestoring device correspond to confidential information restored by saidconfidential information restoring device, and for outputting a signalindicative of falsity when the restored check data does not correspondto the restored confidential information, wherein when arbitrarydifferent elements of input set S input as said confidential informationare x_1 and x_2: an arbitrary positive integer is a; an arbitraryfunction specifying data which is data for uniformly specifying elementsof function set H is c; a set of said function specifying data is K; afalsity detection probability is (1−δ), H satisfies |{b|b□K, H_b(x_1)=y,H_{a*b+c}(x_2)=y}|/|{b|b□K, H_b(x_1)=y}|≦δ, wherein: said falsitydetection device determines that the check data restored by said checkdata restoring device correspond to the confidential informationrestored by said confidential information restoring device, when saidfunction specifying data k which is the restored check data and restoredconfidential information x satisfy H_k(x)=y.
 36. The restoring deviceaccording to claim 8, wherein: when N is an integer, and p is a primenumber; and when said function specifying data e_0, e_1 which arerestored check data and which are elements of Z/pZ, and when (x_1, x_2,. . . , x_N) which are restored confidential information and which areelements of (Z/pZ)̂N satisfy e_0−(x_1*e_1+x_2*e_1̂2+ . . .+x_N*e_1̂N+e_1̂(N+1)+e_1̂(N+2)+e_1̂(N+4))=0, said falsity detectiondevice determines that the check data restored by said check datarestoring device corresponds to the confidential information restored bysaid confidential information restoring device.
 37. The restoring deviceaccording to claim 35, wherein an access structure of a (k,n) thresholdscheme is used as the access structure of said secret sharing scheme.38. A confidential information distribution system comprising: thedistributed information generator according to claim 32; and therestoring device according to claim
 35. 39. A confidential informationdistribution system comprising: the distributed information generatoraccording to claim 33; and the restoring device according to claim 36.40. A confidential information distribution system comprising: thedistributed information generator according to claim 34; and therestoring device according to claim
 37. 41. A computer-readablerecording medium storing a program which causes a computer to: generatecheck data corresponding to confidential information; distribution-codesaid confidential information in accordance with access structure dataindicative of an access structure of a linear secret sharing scheme, andstore the coded confidential information in a storage device; anddistribution-code the check data in accordance with access structuredata indicative of the same access structure as the access structure inaccordance with which the confidential information isdistribution-coded, and store the coded check data in the storagedevice, said program further causing the computer to receive elements sof confidential information data set S; and randomly select functionspecifying data k for uniquely specifying elements of function set Hwhich satisfy H_k(x)=y, and output the function specifying data k assaid check data, wherein said function set H satisfies |{b|b□K,H_b(x_1)=y, H_{a*b+c}(x_2)=y}|/|{b|b□K, H_b(x_1)=y}|≦δ for arbitraryelements x_1 and x_2 of said confidential information data set S whichdiffer from each other, an arbitrary positive integer a, and arbitraryfunction specifying data c of said function set H, where K designates aset of said function specifying data, and (1−δ6) designates a falsitydetection probability.
 42. The computer-readable recording mediumaccording to claim 18, wherein: (Z/pZ)̂N is employed as confidentialinformation data set S, where N is a positive value, and p is a primenumber; and said program further causes the computer to randomly selectelements e_0 and e_1 of Z/pZ which satisfy e_0−(x_1*e_1+x_2*e_1̂2+ . . .+x_N*e_1̂N+e_1̂{N+1}+e_1̂{N+2}+e_1̂{N+4})=0, for elements x_1 and x_2 ofsaid confidential information data set S, and output the same as saidcheck data.
 43. The computer-readable recording medium according toclaim 41, wherein an access structure of a (k,n) threshold scheme isused as the access structure of the secret sharing scheme.
 44. Acomputer-readable recording medium storing a program which causes acomputer to: read distribution-coded confidential information from astorage device for storing confidential information distribution-codedin accordance with access structure data indicative of an accessstructure of a linear secret sharing scheme, said distribution-codedconfidential information corresponding to an access set of said accessstructure, and restore said confidential information in accordance withsaid access structure data; read distribution-coded check data from astorage device for storing distribution-coded data of check datagenerated to correspond with said confidential information, saiddistribution-coded check data corresponding to the access set of saidaccess structure, and restore said check data in accordance with saidaccess structure data; and output said restored confidential informationwhen said restored check data corresponds to said restored confidentialinformation, and output a signal indicative of falsity when saidrestored check data does not correspond to said restored confidentialinformation, wherein when arbitrary different elements of input set Sinput as said confidential information are x_1 and x_2: an arbitrarypositive integer is a; an arbitrary function specifying data which isdata for uniformly specifying elements of function set H is c; a set ofsaid function specifying data is K; a falsity detection probability is(1−δ), H satisfies |{b|b□K, H_b(x_1)=y, H_{a*b+c}(x_2)=y}|/|{b|b□K,H_b(x_1)=y}|≦δ, wherein: said program causes the computer to determinethat said restored check data correspond to said restored confidentialinformation, when said function specifying data k which is the restoredcheck data and restored confidential information x satisfy H_k(x)=y. 45.The computer-readable recording medium according to claim 23, wherein:when N is a positive value, and p is a prime number; and when saidfunction specifying data e_0, e_1 which are restored data check data andwhich are elements of Z/pZ, and when (x_1, x_2, . . . , x_N) which arerestored confidential information and which are elements of (Z/pZ)̂Nsatisfy e_0−(x_1*e_1+x_2*e_1̂2+ . . .+x_N*e_1̂N+e_1̂{N+1}+e_1̂{N+2}+e_1̂{N+4})=0, said program causes thecomputer to determine that said restored check data correspond to saidrestored confidential information.
 46. The computer-readable recordingmedium according to claim 44, wherein an access structure of a (k,n)threshold scheme is used as the access structure of said secret sharingscheme.
 47. A computer-readable recording medium storing a program, saidprogram comprising: the program according to claim 41; and the programaccording to claim
 44. 48. A computer-readable recording medium storinga program, said program comprising: the program according to claim 42;and the program according to claim
 45. 49. A computer-readable recordingmedium storing a program, said program comprising: the program accordingto claim 43; and the program according to claim 46.